        /// <summary>
        /// Builds one <c>regkeyeffectiverights_item</c> describing the rights a single trustee
        /// holds on a single registry key, from an already collected <see cref="WMIWinACE"/>.
        /// </summary>
        /// <param name="collectedData">The collected ACE; must be a <see cref="WMIWinACE"/> (the cast throws otherwise).</param>
        /// <param name="regHive">Registry hive name, copied into the item's <c>hive</c> entity.</param>
        /// <param name="regKey">Registry key path, copied into the item's <c>key</c> entity.</param>
        /// <param name="collectedSid">SID of the trustee whose rights the item reports.</param>
        /// <returns>An item with status <c>exists</c> and one boolean entity per standard, generic and KEY_* right.</returns>
        private regkeyeffectiverights_item CreateItemTypeFromWinACE(object collectedData, string regHive, string regKey, string collectedSid)
        {
            var ace = (WMIWinACE)collectedData;

            // Identity of the item: which key, and which trustee the rights belong to.
            var item = new regkeyeffectiverights_item
            {
                status = StatusEnumeration.exists,
                hive = new EntityItemRegistryHiveType { Value = regHive },
                key = OvalHelper.CreateItemEntityWithStringValue(regKey),
                trustee_sid = OvalHelper.CreateItemEntityWithStringValue(collectedSid)
            };

            // Standard rights.
            item.access_system_security = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.ACCESS_SYSTEM_SECURITY);
            item.standard_delete        = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.DELETE);
            item.standard_read_control  = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.READ_CONTROL);
            item.standard_synchronize   = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.SYNCHRONIZE);
            item.standard_write_dac     = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.WRITE_DAC);
            item.standard_write_owner   = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.WRITE_OWNER);

            // Generic rights.
            item.generic_all     = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.GENERIC_ALL);
            item.generic_execute = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.GENERIC_EXECUTE);
            item.generic_read    = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.GENERIC_READ);
            item.generic_write   = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.GENERIC_WRITE);

            // Registry-key specific rights (KEY_*).
            item.key_create_link        = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.KEY_CREATE_LINK);
            item.key_create_sub_key     = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.KEY_CREATE_SUB_KEY);
            item.key_enumerate_sub_keys = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.KEY_ENUMERATE_SUB_KEYS);
            item.key_notify             = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.KEY_NOTIFY);
            item.key_query_value        = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.KEY_QUERY_VALUE);
            item.key_set_value          = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.KEY_SET_VALUE);
            item.key_wow64_32key        = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.KEY_WOW64_32KEY);
            item.key_wow64_64key        = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.KEY_WOW64_64KEY);

            return item;
        }
        /// <summary>
        /// Combines an aggregated deny ACE and an aggregated grant ACE into the effective rights:
        /// a right is effective only when it is granted and not denied (deny always wins).
        /// </summary>
        /// <param name="denyDACL">Aggregated rights from access-denied ACEs.</param>
        /// <param name="grantDACL">Aggregated rights from access-allowed ACEs.</param>
        /// <returns>A new <see cref="WMIWinACE"/> holding the combined standard, generic and FILE_* rights.</returns>
        private WMIWinACE CreateEffectiveRightsFromGrantAndDenyDACLsCombination(WMIWinACE denyDACL, WMIWinACE grantDACL)
        {
            // NOTE(review): only standard, generic and FILE_* rights are combined here. The KEY_*
            // registry rights and AccessMask are not touched and keep their default on the result
            // — confirm that no caller reads them from the value returned here.
            var effective = new WMIWinACE();

            // Standard rights.
            effective.ACCESS_SYSTEM_SECURITY = !denyDACL.ACCESS_SYSTEM_SECURITY && grantDACL.ACCESS_SYSTEM_SECURITY;
            effective.DELETE                 = !denyDACL.DELETE && grantDACL.DELETE;
            effective.READ_CONTROL           = !denyDACL.READ_CONTROL && grantDACL.READ_CONTROL;
            effective.SYNCHRONIZE            = !denyDACL.SYNCHRONIZE && grantDACL.SYNCHRONIZE;
            effective.WRITE_DAC              = !denyDACL.WRITE_DAC && grantDACL.WRITE_DAC;
            effective.WRITE_OWNER            = !denyDACL.WRITE_OWNER && grantDACL.WRITE_OWNER;

            // Generic rights — each is combined from its own deny/grant pair, independently of the others.
            effective.GENERIC_EXECUTE = !denyDACL.GENERIC_EXECUTE && grantDACL.GENERIC_EXECUTE;
            effective.GENERIC_READ    = !denyDACL.GENERIC_READ && grantDACL.GENERIC_READ;
            effective.GENERIC_WRITE   = !denyDACL.GENERIC_WRITE && grantDACL.GENERIC_WRITE;
            effective.GENERIC_ALL     = !denyDACL.GENERIC_ALL && grantDACL.GENERIC_ALL;

            // File / directory rights.
            effective.FILE_ADD_FILE         = !denyDACL.FILE_ADD_FILE && grantDACL.FILE_ADD_FILE;
            effective.FILE_ADD_SUBDIRECTORY = !denyDACL.FILE_ADD_SUBDIRECTORY && grantDACL.FILE_ADD_SUBDIRECTORY;
            effective.FILE_APPEND_DATA      = !denyDACL.FILE_APPEND_DATA && grantDACL.FILE_APPEND_DATA;
            effective.FILE_DELETE_CHILD     = !denyDACL.FILE_DELETE_CHILD && grantDACL.FILE_DELETE_CHILD;
            effective.FILE_EXECUTE          = !denyDACL.FILE_EXECUTE && grantDACL.FILE_EXECUTE;
            effective.FILE_LIST_DIRECTORY   = !denyDACL.FILE_LIST_DIRECTORY && grantDACL.FILE_LIST_DIRECTORY;
            effective.FILE_READ_ATTRIBUTES  = !denyDACL.FILE_READ_ATTRIBUTES && grantDACL.FILE_READ_ATTRIBUTES;
            effective.FILE_READ_DATA        = !denyDACL.FILE_READ_DATA && grantDACL.FILE_READ_DATA;
            effective.FILE_READ_EA          = !denyDACL.FILE_READ_EA && grantDACL.FILE_READ_EA;
            effective.FILE_TRAVERSE         = !denyDACL.FILE_TRAVERSE && grantDACL.FILE_TRAVERSE;
            effective.FILE_WRITE_ATTRIBUTES = !denyDACL.FILE_WRITE_ATTRIBUTES && grantDACL.FILE_WRITE_ATTRIBUTES;
            effective.FILE_WRITE_DATA       = !denyDACL.FILE_WRITE_DATA && grantDACL.FILE_WRITE_DATA;
            effective.FILE_WRITE_EA         = !denyDACL.FILE_WRITE_EA && grantDACL.FILE_WRITE_EA;

            return effective;
        }
        /// <summary>
        /// Expands a raw discretionary access mask into a <see cref="WMIWinACE"/> whose
        /// file and registry-key right flags are derived from that mask.
        /// </summary>
        /// <param name="bitwiseAccessMask">The source access mask as an unsigned integer.</param>
        /// <returns>A new <see cref="WMIWinACE"/> carrying the mask and the rights decoded from it.</returns>
        public WMIWinACE GetSecurityDescriptorFromAccessMask(uint bitwiseAccessMask)
        {
            var ace = new WMIWinACE { AccessMask = bitwiseAccessMask };

            // Both decoders read AccessMask, so it must be assigned before they run.
            ace.CalculateFileAccessRightsFromAccessMask();
            ace.CalculateRegistryKeyAccessRightsFromAccessMask();

            return ace;
        }
        /// <summary>
        /// Creates one <see cref="WMIWinACE"/> per ACE found in a security descriptor management object,
        /// regardless of trustee.
        /// </summary>
        /// <param name="rootManagementObject">The result of the invoked WMI method that returns the security descriptor; must be a <see cref="ManagementBaseObject"/>.</param>
        /// <returns>A list with one <see cref="WMIWinACE"/> per ACE, in the order the descriptor lists them.</returns>
        public virtual IEnumerable <WMIWinACE> GetAllSecurityDescriptorsFromManagementObject(object rootManagementObject)
        {
            var aces = this.getACLFromManagementObject((ManagementBaseObject)rootManagementObject);

            var winAces = new List <WMIWinACE>();
            foreach (var ace in aces)
            {
                winAces.Add(ToWinACE(ace));
            }

            return winAces;

            // Copies the raw ACE fields and decodes the file rights from the access mask.
            // AceType is carried through untouched: whether an entry allows or denies access is
            // not interpreted here, so consumers must not treat every returned ACE as a grant.
            WMIWinACE ToWinACE(ManagementBaseObject ace)
            {
                var winAce = new WMIWinACE
                {
                    AccessMask = this.getPropertyValueAsUnsiggnedInteger(ace, "AccessMask"),
                    AceFlags   = this.getPropertyValueAsUnsiggnedInteger(ace, "AceFlags"),
                    AceType    = this.getPropertyValueAsUnsiggnedInteger(ace, "AceType"),
                    Trustee    = this.getWinTrusteeFromManagementObject((ManagementBaseObject)ace.Properties["Trustee"].Value)
                };
                winAce.CalculateFileAccessRightsFromAccessMask();
                return winAce;
            }
        }
        /// <summary>
        /// Derives the GENERIC_* flags of an effective-rights ACE from its specific rights, in place.
        /// A generic right is set as soon as any one of its constituent specific rights is set.
        /// </summary>
        /// <param name="userEffectiveRights">The ACE to update; its GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE and GENERIC_ALL are overwritten.</param>
        private void AdjustGenericRights(WMIWinACE userEffectiveRights)
        {
            var rights = userEffectiveRights;

            bool canRead = rights.READ_CONTROL
                        || rights.FILE_READ_ATTRIBUTES
                        || rights.FILE_READ_DATA
                        || rights.FILE_READ_EA;

            bool canWrite = rights.WRITE_OWNER
                         || rights.WRITE_DAC
                         || rights.FILE_WRITE_ATTRIBUTES
                         || rights.FILE_WRITE_DATA
                         || rights.FILE_APPEND_DATA
                         || rights.FILE_WRITE_EA;

            // NOTE(review): execute is mapped from FILE_EXECUTE alone; FILE_TRAVERSE is not considered — confirm intended.
            bool canExecute = rights.FILE_EXECUTE;

            rights.GENERIC_READ    = canRead;
            rights.GENERIC_WRITE   = canWrite;
            rights.GENERIC_EXECUTE = canExecute;

            // "All" here means any of the three generic rights, not all of them together.
            rights.GENERIC_ALL = canRead || canWrite || canExecute;
        }
        /// <summary>
        /// AuditEventPolicy must follow the two audit bits of AceFlags: 64 (0x40, SUCCESSFUL_ACCESS_ACE_FLAG)
        /// maps to success auditing, 128 (0x80, FAILED_ACCESS_ACE_FLAG) to failure auditing, both set to both,
        /// and neither to none.
        /// </summary>
        public void Should_be_possible_to_map_AceFlags_to_AuditEventStatusEnum()
        {
            Assert.AreEqual(AuditEventStatus.AUDIT_NONE,            new WMIWinACE { AceFlags = 0 }.AuditEventPolicy);
            Assert.AreEqual(AuditEventStatus.AUDIT_SUCCESS,         new WMIWinACE { AceFlags = 64 }.AuditEventPolicy);
            Assert.AreEqual(AuditEventStatus.AUDIT_FAILURE,         new WMIWinACE { AceFlags = 128 }.AuditEventPolicy);
            Assert.AreEqual(AuditEventStatus.AUDIT_SUCCESS_FAILURE, new WMIWinACE { AceFlags = 192 }.AuditEventPolicy);
        }
        /// <summary>
        /// Creates one <see cref="WMIWinACE"/> per ACE of a security descriptor management object
        /// whose trustee belongs to the given user; ACEs for other trustees are skipped.
        /// </summary>
        /// <param name="rootManagementObject">The result of the invoked WMI method that returns the security descriptor; must be a <see cref="ManagementBaseObject"/>.</param>
        /// <param name="userTrusteeName">The username formatted such as: "[DOMAIN]\[USERNAME]". For local users use the machine name on [DOMAIN].</param>
        /// <param name="wmiProvider">WMI provider handed to <c>DoesACLBelongToUser</c> for trustee matching.</param>
        /// <returns>A list with one <see cref="WMIWinACE"/> per matching ACE, in descriptor order.</returns>
        public virtual IEnumerable <WMIWinACE> GetSecurityDescriptorsFromManagementObject(object rootManagementObject, string userTrusteeName, WmiDataProvider wmiProvider)
        {
            ManagementBaseObject[] aces = this.getACLFromManagementObject((ManagementBaseObject)rootManagementObject);

            var matching = new List <WMIWinACE>();

            foreach (var ace in aces)
            {
                var trustee = (ManagementBaseObject)ace.Properties["Trustee"].Value;

                // NOTE(review): the effective rights computed from this list are only complete if
                // DoesACLBelongToUser also matches ACEs granted to groups the user is a member of — confirm.
                if (!this.DoesACLBelongToUser(trustee, userTrusteeName, wmiProvider))
                {
                    continue;
                }

                var winAce = new WMIWinACE
                {
                    AccessMask = this.getPropertyValueAsUnsiggnedInteger(ace, "AccessMask"),
                    AceFlags   = this.getPropertyValueAsUnsiggnedInteger(ace, "AceFlags"),
                    AceType    = this.getPropertyValueAsUnsiggnedInteger(ace, "AceType"),
                    Trustee    = this.getWinTrusteeFromManagementObject(trustee)
                };
                // AceType (allow vs deny) is carried through, not interpreted here.
                winAce.CalculateFileAccessRightsFromAccessMask();

                matching.Add(winAce);
            }

            return matching;
        }
        /// <summary>
        /// Copies the standard, generic and KEY_* rights of a collected <see cref="WMIWinACE"/> onto the
        /// <c>regkeyeffectiverights_item</c> currently being built (<c>base.BuildingItemType</c>).
        /// Identity fields (hive, key, trustee_sid, status) are not touched here.
        /// </summary>
        /// <param name="collectedData">The collected ACE; must be a <see cref="WMIWinACE"/> (the cast throws otherwise).</param>
        public override void FillItemTypeWithData(object collectedData)
        {
            var ace = (WMIWinACE)collectedData;
            var item = (regkeyeffectiverights_item)base.BuildingItemType;

            // Standard rights.
            item.access_system_security = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.ACCESS_SYSTEM_SECURITY);
            item.standard_delete        = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.DELETE);
            item.standard_read_control  = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.READ_CONTROL);
            item.standard_synchronize   = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.SYNCHRONIZE);
            item.standard_write_dac     = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.WRITE_DAC);
            item.standard_write_owner   = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.WRITE_OWNER);

            // Generic rights.
            item.generic_all     = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.GENERIC_ALL);
            item.generic_execute = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.GENERIC_EXECUTE);
            item.generic_read    = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.GENERIC_READ);
            item.generic_write   = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.GENERIC_WRITE);

            // Registry-key specific rights (KEY_*).
            item.key_create_link        = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.KEY_CREATE_LINK);
            item.key_create_sub_key     = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.KEY_CREATE_SUB_KEY);
            item.key_enumerate_sub_keys = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.KEY_ENUMERATE_SUB_KEYS);
            item.key_notify             = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.KEY_NOTIFY);
            item.key_query_value        = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.KEY_QUERY_VALUE);
            item.key_set_value          = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.KEY_SET_VALUE);
            item.key_wow64_32key        = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.KEY_WOW64_32KEY);
            item.key_wow64_64key        = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.KEY_WOW64_64KEY);
        }
        /// <summary>
        /// A freshly constructed ACE with no AceFlags assigned must report <c>AuditEventStatus.EMPTY</c>,
        /// distinguishing "never set" from an explicit "no auditing" (AUDIT_NONE).
        /// </summary>
        public void When_AceFlags_is_not_set_the_audit_event_status_must_be_equals_to_EMPTY()
        {
            var untouched = new WMIWinACE();
            var policy = untouched.AuditEventPolicy;

            Assert.AreEqual(AuditEventStatus.EMPTY, policy);
        }